angular · alexeagle · Apr 27, 2018
diff --git a/.circleci/README.md b/.circleci/README.md
@@ -0,0 +1,19 @@
+# Encryption
+
+Based on https://github.com/circleci/encrypted-files
+
+In the CircleCI web UI, we have a secret variable called `KEY`
+https://circleci.com/gh/angular/angular/edit#env-vars
+which is only exposed to non-fork builds
+(see "Pass secrets to builds from forked pull requests" under
+https://circleci.com/gh/angular/angular/edit#advanced-settings)
+
+We use this as a symmetric AES encryption key to encrypt tokens like
+a GitHub token that enables publishing snapshots.
+
+To create the github_token file, we take this approach:
+- Find the angular-builds:token in http://valentine
+- Go inside the ngcontainer docker image so you use the same version of openssl as we will at runtime: `docker run --rm -it angular/ngcontainer`
+- echo "https://[token]:@github.com" > credentials
+- openssl aes-256-cbc -e -in credentials -out .circleci/github_token -k $KEY
+- If needed, base64-encode the result so you can copy-paste it out of docker: `base64 github_token`
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -158,6 +158,16 @@ jobs:
   publish_snapshot:
     <<: *job_defaults
     steps:
+      # See below - ideally this job should not trigger for non-upstream builds.
+      # But since it does, we have to check this condition.
+      - run:
+          name: Skip this job for Pull Requests and Fork builds
+          # Note, `|| true` on the end makes this step always exit 0
+          command: '[[
+              -v CIRCLE_PR_NUMBER
+              || "$CIRCLE_PROJECT_USERNAME" != "angular"
+              || "$CIRCLE_PROJECT_REPONAME" != "angular"
+          ]] && circleci step halt || true'
       - checkout:
           <<: *post_checkout
       - attach_workspace:
@@ -166,6 +176,9 @@ jobs:
       # This is not compatible with our mechanism of using a Personal Access Token
       # Clear the global setting
       - run: git config --global --unset "url.ssh://git@github.com.insteadof"
+      - run:
+          name: Decrypt github credentials
+          command: 'openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out ~/.git_credentials'
       - run: ./scripts/ci/publish-build-artifacts.sh
 
   aio_monitoring:
@@ -191,8 +204,7 @@ workflows:
           # Note: no filters on this job because we want it to run for all upstream branches
           # We'd really like to filter out pull requests here, but not yet available:
           # https://discuss.circleci.com/t/workflows-pull-request-filter/14396/4
-          # Instead, the publish-build-artifacts.sh script just terminates when
-          # CIRCLE_PR_NUMBER is set.
+          # Instead, the job just exits immediately at the first step.
           requires:
             # Only publish if tests and integration tests pass
             - test

diff --git a/.circleci/github_token b/.circleci/github_token
@@ -1 +1,3 @@
-Salted__����˓]���O�ʤu'��Uzh���bE�]+�xC�Y-�?�c"q�;ƲK@l#�xހ�I�1&w0�+�\p/O�;�
+Salted__)I���s(<_���T��?�
+� ӳy��𔰳���&A�
+I]����4�������?�I
diff --git a/scripts/ci/publish-build-artifacts.sh b/scripts/ci/publish-build-artifacts.sh
@@ -64,7 +64,7 @@ function publishRepo {
   BUILD_VER="${LATEST_TAG}+${SHORT_SHA}"
   if [[ ${CI} ]]; then
     (
-      # The file ~/.git_credentials is created below
+      # The file ~/.git_credentials is created in /.circleci/config.yml
       cd $REPO_DIR && \
       git config credential.helper "store --file=$HOME/.git_credentials"
     )
@@ -122,19 +122,7 @@ CUR_BRANCH=${CIRCLE_BRANCH:-$(git symbolic-ref --short HEAD)}
 if [ $# -gt 0 ]; then
   ORG=$1
   publishPackages "ssh" dist/packages-dist $CUR_BRANCH
-
-elif [[ \
-    "$CIRCLE_PROJECT_USERNAME" == "angular" && \
-    "$CIRCLE_PROJECT_REPONAME" == "angular" && \
-    ! -v CIRCLE_PR_NUMBER ]]; then
+else
   ORG="angular"
-  # $KEY is set on CI only for non-PR builds. See /.circleci/README.md
-  openssl aes-256-cbc -d -in .circleci/github_token -k "${KEY}" -out "${HOME}/.git_credentials"
-
   publishPackages "http" dist/packages-dist $CUR_BRANCH
-  # Clean up the credentials file out of caution
-  rm "${HOME}/.git_credentials"
-
-else
-  echo "Not building the upstream/${CUR_BRANCH} branch, build artifacts won't be published."
 fi